now uses regexp for realms including warnings that will be removed later

git-svn-id: https://svn.testnett.uninett.no/radsecproxy/trunk@96 e88ac4ed-0b26-0410-9574-a7f39faa03bf

diff --git a/radsecproxy.c b/radsecproxy.c
index a3d8ff5..079aaa8 100644 (file)
--- a/radsecproxy.c
+++ b/radsecproxy.c
@@ -995,30 +995,6 @@ int msmppdecrypt(uint8_t *text, uint8_t len, uint8_t *shared, uint8_t sharedlen,
 }
 
 struct server *id2server(char *id, uint8_t len) {
-#ifndef REGEXP    
-    int i;
-    char *idrealm;
-    struct server *deflt = NULL;
-    
-    idrealm = strchr(id, '@');
-    if (idrealm) {
-       idrealm++;
-       len -= idrealm - id;
-    } else {
-       idrealm = "-";
-       len = 1;
-    }
-
-    for (i = 0; i < realm_count; i++) {
-       if (!deflt && realms[i].name[0] == '*' && realms[i].name[1] == '\0')
-           deflt = realms[i].server;
-       else if (!strncasecmp(idrealm, realms[i].name, len)) {
-           debug(DBG_DBG, "found matching realm: %s, host %s", realms[i].name, realms[i].server->peer.host);
-           return realms[i].server;
-       }
-    }
-    return deflt;
-#else
     int i;
     for (i = 0; i < realm_count; i++)
        if (!regexec(&realms[i].regex, id, 0, NULL, 0)) {
@@ -1026,7 +1002,6 @@ struct server *id2server(char *id, uint8_t len) {
            return realms[i].server;
        }
     return NULL;
-#endif    
 }
 
 int rqinqueue(struct server *to, struct client *from, uint8_t id) {
@@ -1707,6 +1682,13 @@ void addrealm(char *value, char *server) {
     if (i == server_count)
        debugx(1, DBG_ERR, "addrealm failed, no server %s", server);
 
+    /* temporary warnings */
+    if (*value == '*')
+       debugx(1, DBG_ERR, "Regexps are now used for specifying realms, a string\nstarting with '*' is meaningless, you probably want '.*' for matching everything\nEXITING\n");
+    if (value[strlen(value) - 1] != '$' && value[strlen(value) - 1] != '*') {
+       debug(DBG_ERR, "Regexps are now used for specifying realms, you\nprobably want to rewrite this as e.g. '@example\\.com$' or '\\.com$'\nYou can even do things like '[a-n].*@example\\.com$' to make about half of the\nusers use this server. Note that the matching is case insensitive.\n");
+       sleep(3);
+    }
     realm_count++;
     realms = realloc(realms, realm_count * sizeof(struct realm));
     if (!realms)

diff --git a/radsecproxy.conf-example b/radsecproxy.conf-example
index 62d5836..6e1c055 100644 (file)
--- a/radsecproxy.conf-example
+++ b/radsecproxy.conf-example
@@ -33,6 +33,13 @@ TLSCertificateKeyPassword    follow the white rabbit
 #also the lines above may be in any order, except that a realm
 #can only be configured to use a server that is previously configured.
 
+#Also note that case insensitive regexp is used for realms, matching
+#the entire username string. The matching is done in the order the
+#realms are specified, using the first match found. Some examples are
+#"@example\.com$", "\.com$", ".*" and "[a-z].*@example\.com$".
+#To treat local users separately you might try first specifying "@"
+#and after that ".*".
+
 client 2001:db8::1 {
        type    tls
        secret  verysecret
@@ -50,7 +57,7 @@ server 127.0.0.1 {
        type    UDP
        secret  secret
 }
-realm  eduroam.cc {
+realm  @eduroam\.cc$ {
        server  127.0.0.1
 }
 
@@ -64,16 +71,12 @@ server radius.example.com {
        secret  verysecret
 }
 
-realm example.com {
+realm @example\.com$ {
        server 2001:db8::1
 }
-realm com {
+realm \.com$ {
        server 2001:db8::1
 }
-# Matching of realms is done in the order specified.
-# Except * which is a catch all that is used as a last resort
-# The matching is going to be changed to be regexp of the
-# entire username value
-realm * {
+realm .* {
        server radius.example.com
 }